I just came across a security issue relevant to this discussion. Gitea (a GitHub alternative hosted on GitHub) just had its releases on GitHub compromised:
github.com/go-gitea/gitea/issues/4167
The solution they're going for is to GPG sign their releases. Another probably simpler way to resolve your concerns could be to just post the SHA256 hashes of the releases on an external domain and include directions to check the hash of the release from GitHub in the installation instructions.
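The hash-check install step suggested above, written out as an added example. This is not Gitea's own script: the `SHA256SUMS` file name, the `sha256sum`-style `<hex>  <filename>` list format and the release file name are assumptions, and the demo data is constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not Gitea's code): verify a release asset downloaded from
# GitHub against a SHA256 list the project publishes on a separate domain.
# Assumptions: the list is named SHA256SUMS and uses sha256sum's
# "<hex>  <filename>" format; the release file name below is made up.
set -u

# Print the lowercase hex SHA256 of a file. Uses sha256sum where present,
# falling back to shasum -a 256 (macOS / BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        h=$(sha256sum "$1")
    else
        h=$(shasum -a 256 "$1")
    fi
    printf '%s\n' "$h" | awk '{print tolower($1)}'
}

# expected_sha256 FILE CHECKSUMS
# Print the hash listed for FILE's basename, or nothing if it is not listed.
# Tolerates the "*name" form sha256sum writes in binary mode and uppercase hex.
expected_sha256() {
    awk -v f="$(basename "$1")" '
        { n = $2; sub(/^\*/, "", n)
          if (n == f) { print tolower($1); exit } }' "$2"
}

# verify_release FILE CHECKSUMS
# Exit status: 0 = hash matches, 1 = mismatch (treat the asset as compromised),
# 2 = file missing or not present in the list (do not install either way).
verify_release() {
    file=$1
    checksums=$2
    if [ ! -f "$file" ]; then
        echo "verify_release: no such file: $file" >&2
        return 2
    fi
    expected=$(expected_sha256 "$file" "$checksums")
    if [ -z "$expected" ]; then
        echo "verify_release: $(basename "$file") is not listed in $checksums" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "verify_release: SHA256 MISMATCH for $file" >&2
        echo "  expected $expected" >&2
        echo "  got      $actual" >&2
        return 1
    fi
    echo "verify_release: $file OK"
    return 0
}

# Demo on constructed data: a fake release asset, the checksum list as the
# project would publish it off-GitHub, then the same asset after tampering.
demo() {
    d=$(mktemp -d)
    rel="$d/gitea-1.0.0-linux-amd64"
    printf 'constructed release payload\n' > "$rel"
    printf '%s  %s\n' "$(sha256_of "$rel")" "$(basename "$rel")" > "$d/SHA256SUMS"

    verify_release "$rel" "$d/SHA256SUMS"
    printf 'injected bytes\n' >> "$rel"      # simulate a replaced GitHub asset
    verify_release "$rel" "$d/SHA256SUMS" || echo "rejected, status $?"
    rm -rf "$d"
}

demo
```

In real install instructions the `SHA256SUMS` file would be fetched over HTTPS from the project's own domain, not from the same GitHub release page as the asset; the check only helps if an attacker who can swap the release cannot also rewrite the list. It also says nothing about whether the build itself was honest, which is the gap that signing the release (and the list) with a key published elsewhere is meant to close.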
Yup, this is the direction I'll be going in as well.